+ Post New Thread
Results 1 to 10 of 10
Windows Thread, How to find out who deleted what in Technical; Is there anyway to find out who deleted (or even modified) a file from a network share? (Windows Server 2003)...
  1. #1

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    19
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0

    How to find out who deleted what

    Is there anyway to find out who deleted (or even modified) a file from a network share? (Windows Server 2003)

  2. #2

    elsiegee40's Avatar
    Join Date
    Jan 2007
    Location
    Kent
    Posts
    10,698
    Thank Post
    1,781
    Thanked 2,168 Times in 1,603 Posts
    Rep Power
    769
    Do you have volume shadow copy? That will help you to establish a short time frame when the file was deleted and may help to identify the culprit.

  3. #3

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    19
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Nope

    (needed a few extra chars to post so here's some)

  4. #4

    Join Date
    Feb 2006
    Location
    Derbyshire
    Posts
    1,381
    Thank Post
    181
    Thanked 211 Times in 171 Posts
    Rep Power
    65
    After the deletion and before the planning on what to do about deleted files? No. You'd need file auditing turned on before the file was deleted, not after - but setting it up may help you in future situations.

  5. #5

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    19
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Yeah thought auditing would be necessary, will turning it on slow things down at all/much?

    Just had a look at it now, do I just add the Network Shares to the list of audited 'files' on the group policy for the dc(s)?
    And is it in Event Viewer where I'd find details of what's gone on then?
    Last edited by Chrish5; 16th October 2008 at 04:23 PM.

  6. #6

    Join Date
    Feb 2008
    Location
    south coast
    Posts
    173
    Thank Post
    0
    Thanked 2 Times in 1 Post
    Rep Power
    14
    not sure if it works if modified but when someone puts a file somewhere you can track it back to who the owner is. dont know if this helps?

  7. #7

    Join Date
    Apr 2007
    Location
    Corby, Northants
    Posts
    48
    Thank Post
    8
    Thanked 9 Times in 8 Posts
    Rep Power
    16
    Quote Originally Posted by Chrish5 View Post
    Yeah thought auditing would be necessary, will turning it on slow things down at all/much?

    Just had a look at it now, do I just add the Network Shares to the list of audited 'files' on the group policy for the dc(s)?
    And is it in Event Viewer where I'd find details of what's gone on then?
    Hi Chris

    To set up auditing, modify the group policy affecting the server containing the files. You need to navigate to Computer Config, Windows Settings, Security Settings, Local Polices, Audit Policy, and set the "Audit Object Access" setting to audit for Success and/or Failure.

    Then, navigate the folder that you wish to audit, bring up its properties, then security. Click on "Advanced", and then the auditing tab. From here, you can add users or groups to audit for this folder, and define what actions to audit, E.g. Delete, Delete Sub Folders and Files, Modify Etc.

    Any collected data will appear in Event Viewer, under security.

    Hope this helps


    Maria

  8. Thanks to MPorter from:

    Chrish5 (16th October 2008)

  9. #8

    Join Date
    Sep 2008
    Location
    Cardiff
    Posts
    19
    Thank Post
    1
    Thanked 0 Times in 0 Posts
    Rep Power
    0
    Cheers for that - I did some of that before I left this evening - I'll follow what you said tomorrow.

    And to all those concerned don't worry I didn't lose anything important as the backups were fine. Just wanted to sort this out for the future so I know which teacher to shout at/ridicule.
    Last edited by Chrish5; 16th October 2008 at 05:34 PM.

  10. #9

    Michael's Avatar
    Join Date
    Dec 2005
    Location
    Birmingham
    Posts
    9,262
    Thank Post
    242
    Thanked 1,568 Times in 1,250 Posts
    Rep Power
    340
    Be very careful when enabling auditing. If you specify too much, the event logs will get full very quickly.

    Auditing is only good if you can spend the time looking through hundreds of logs.

  11. #10

    Join Date
    Aug 2005
    Location
    London
    Posts
    3,154
    Thank Post
    114
    Thanked 527 Times in 450 Posts
    Blog Entries
    2
    Rep Power
    123
    It can generate lots of data - you will certainly want to increase the size of log allowed.

    You then need to look at some of the tools available for monitoring logs and helping you to find useful info.

    Microsoft have a couple which can help - logparser and eventcomb (this is a resource kit tool; it does lots of stuff but can be helpful)

SHARE:
+ Post New Thread

Similar Threads

  1. Deleted Topic
    By willkeddie in forum Educational IT Jobs
    Replies: 12
    Last Post: 12th August 2007, 12:42 PM
  2. message deleted
    By thekenshogroup in forum Educational IT Jobs
    Replies: 10
    Last Post: 12th March 2007, 10:02 AM
  3. Where do deleted file go?
    By Furan in forum Windows
    Replies: 14
    Last Post: 10th February 2006, 03:03 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •